Don t Be A Phish Deep Dive Into Authentication Techniques

Transcription

1

2 Don t Be A Phish Deep Dive Into Authentication Techniques Hrvoje Dogan, Security Solutions Architect

3 Agenda Introduction to Phishing Hardening Your Infrastructure With Message Authentication: Sender Policy Framework (SPF) Domain Keys Identified Mail (DKIM) Domain-based Message Authentication, Reporting & Conformance (DMARC) Q&A

4 Abstract Phishing is the plague of today's communication. With modern anti-spam rendering legacy spam almost non-existent, different variants of phishing attacks are becoming the primary threat to global systems. Several authentication methods have been around for a while, but their adoption was low and not properly encouraged, and they mostly solved just parts of the problem. However, recent developments upgrade on those legacy techniques, and make message authentication, reporting and visibility part of Internet standards. This advanced session will provide an in-depth review of SPF, DKIM and DMARC, the prevalent message authentication techniques, and how Cisco Security products can utilize them. We will architect a real-world message authentication architecture and show through examples how, once implemented by all parties, it makes phishing with your identity impossible. Proper implementation of authentication techniques not only prevents you from being phished, but also helps protect your identity and brand reputation, and keeps you a reliable, trustworthy communication and business partner.

5 Content Aids Anything in blue Relates to Sender / Signer Anything in magenta Relates to Recipient / Verifier The curious fish that wants to know more Adorns the slides that are For Your Reference The caught fish is our Progress Indicator Note: Some of the concepts laid out will be abstracted/simplified for easier delivery. I will make the best effort to point out when there is more happening behind the scenes but is not practical to deliver in this session. 5

6 Introduction to Phishing

7 Brodet Dalmatian fish stew, usually served with polenta 1 kg of wild fish (scorpion fish, conger eel, angler the more the merrier) 1-2 dl of olive oil 3 onions 6 cloves of garlic 500 gr of tomatoes, diced (canned or fresh) Salt, pepper, parsley leaves, bay leaf Some wine vinegar Cut fish into large pieces. Dice onions and parsley, finely chop garlic. In a medium to large pan, heat olive oil, fry onion until glassy. Add fish and fry shortly. Add tomatoes. Add the rest of the ingredients and enough water to completely cover the fish. Cook on low to medium heat for about one hour, add water if it evaporates. The key to a good brodet is finding out the right amount of wine vinegar to add, to give the tomato sweetness a nice twang. Just experiment!

8 What Is Phishing? phish ing noun \ˈfi-shiŋ\ a scam by which an user is duped into revealing personal or confidential information which the scammer can use illicitly Merriam-Webster Online Dictionary 8

9 A Short History of Phishing First use: 1996, alt.online-service.america-online 2001 Moved to wider Internet, targeting payment systems Easy to spot messages, spelling errors 2003 Legitimate site opens in the background, phisher runs a fake login window in front. Gartner reports global cost of phishing in 2003 at 2.4 billion US$ Implemented data validation with real sites Creating completely fake Websites of imaginary banks and financial firms. 9

10 Phishing Today Country hosting most target sites: USA Top 5 countries by attacked brands: USA, UK, India, Australia, France Most phishing attacks are launched on Fridays Worldwide cost of Phishing in 2012: >1.5 billion US$ Source: RSA Online Fraud Report, Source: APWG Phishing Attack Trends Report 2Q2013,

11 Who Is Attacked? Energy sector targets in Q1: An oil and gas exploration firm with operations in Africa, Morocco, and Brazil; A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria; A natural gas power station in the UK; A gas distributor located in France; An industrial supplier to the energy, nuclear and aerospace industries; Various investment and capital firms that specialize in the energy sector. Source: Cisco TRAC Q Quarterly Threat Briefing 11

12 Hardening Your Infrastructure: SPF

13 Gregada A quick fishermen s hotpot 2 kg of fish (works best with angler fish, but even hake will do. Good with cod, too.) 1 kg of potatoes 1 onion 4-5 cloves of garlic 2 dl of white wine 2 dl of olive oil a splash of lemon juice fish stock a bunch of fresh parsley leaves a pinch of rosemary salt and pepper to taste Cut fish into large pieces. Slice onions into rings, and potatoes into 1-2 cm thick slices. Dice parsley, garlic and rosemary. In a large pot, fry onions on a little olive oil until glassy, add garlic and a little salt, and fry until onion is golden. Add a layer of potatoes, then top with a layer of fish, and top the fish with more potatoes. Add the rest of the olive oil, white wine, and top off with fish stock just to barely cover the potatoes. Add a little bit of cold water. There should be no more than 1 cm of liquid over the potatoes. Cook covered on high flame for 20 minutes. DO NOT STIR! Occasionally shake the pot instead. After 20 minutes, add lemon juice and parsley, and cook uncovered on low heat for a little while until the potatoes are soft. Before serving, let the pot rest for a while, so flavors even out. Sprinkle with olive oil in the plates.

14 Sender Policy Framework A Short Introduction Specified in RFC4408(bis) In a nutshell: Allows recipients to verify sender IP addresses by looking up DNS records listing authorized Mail Gateways for a particular domain Uses DNS TXT(16) or SPF (Type 99) Resource Records SPF RR will be obsoleted due to low use Can verify HELO and MAIL FROM identity (FQDN) 14

15 SPF Operation Work out which machines send Get incoming connection DNS TXT and/or SPF RR Parse SPF record Outgoing msg Just forward it Check remote IP, HELO/EHLO, MAIL FROM Deliver/Drop/ Quarantine 15

16 SPF Record Semantics SPF version acmilan.com IN TXT v=spf1 ip4: all Verification mechanisms 16

17 SPF Record Semantics Mechanisms and Qualifiers IP4 A PASS (+) PTR ALL NEUTRAL (?) IP6 SOFTFAIL (~) INCLUDE EXISTS FAIL (-) MX 17

18 SPF Record Examples cisco.com IN TXT v=spf1 ip4: /27 ip4: /26 ip4: /27 ip4: /24 ip4: /14 ip4: /27 ip4: /24 ip4: /16 ip4: /20 ip4: /24" " ip4: /24 ip4: /27 ip4: /26 ip4: /27 ip4: /26 ip4: /24 mx:res.cisco.com ~all amazon.com IN TXT v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com all amazon.ses.com IN TXT v=spf1 ip4: /22 ip4: /22 ip4: /18 ~all openspf.org IN TXT v=spf1 all 18

19 SPF Record Nesting google.com IN TXT v=spf1 include:_spf.google.com ip4: /31 ip4: /31 ~all _spf.google.com IN TXT v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all _netblocks.google.com IN TXT v=spf1 ip4: /19 ip4: /19 ip4: /20 ip4: /18 ip4: /17 ip4: /20 ip4: /16 ip4: /20 ip4: /20 ip4: /16 ~all _netblocks2.google.com IN TXT v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all _netblocks3.google.com IN TXT v=spf1 ~all Maximum of 10 mechanisms querying DNS (any other than IP4, IP6, ALL)! 19

20 What SPF Does NOT Address Primary purpose of SPF is to validate whether a message sender comes from a legitimate host Only checks Envelope From headers can still be faked Complementary technology, SenderID, checks purported sender ( Purported Responsible Address ) in the headers, but has many shortcomings Does not ensure message integrity Does not prevent intra-domain forgery 20

21 SPF Best Practices Plan to include - all in your SPF records Consider all legitimate servers sending on your behalf Make it part of security policy for roaming users to use authenticated SMTP on your gateways for sending outgoing mail Add your relay hosts HELO/EHLO identity to SPF records Create SPF records for all of your subdomains too Publish null SPF records for domains/hosts that don t send mail! nomail.domain.com. IN TXT "v=spf1 - all" Only include MX mechanism if your incoming mail servers also send outgoing mail (for now) Publish both TXT and SPF DNS Resource Records with your SPF record data. 21

22 Setting up SPF DNS Records and Configuring SPF Verification on Cisco ESA

23 Hardening Your Infrastructure: DKIM

24 (Musky) Octopus Salad Musky Octopus is Octopus smaller cousin, called muzgavac or mrkač in Croatian 2 kg of Musky Octopus (regular octopus will do too) 2 large-ish potatoes a bunch of fresh parsley 10 cloves of garlic 1 dl of olive oil juice of 1 lemon wine vinegar to taste salt and freshly ground pepper to taste Deep freeze the (cleaned) octopus. This makes it softer and easier to cook. Dice potatoes in small cubes, and cook them. Put octopus in cold water, and cook over low flame for 40-ish minutes from boiling. If there is skin on them, you will know it s done when the skin starts falling off. Drain them, let them cool down and peel the skin. Dice the octopus in 1 cm cubes. Finely chop garlic and parsley. Add salt, pepper, lemon juice, 3 tbsp of wine vinegar, parsley, garlic and olive oil to diced octopus. Add potatoes. Mix well. Serve cold.

25 Domain Keys Identified Mail A Short Introduction Specified in RFC5585 Additional RFCs: RFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment and Operation), RFC5617 (Author Domain Signing Practices (ADSP)) In a nutshell: Specifies methods for gateway-based cryptographic signing of outgoing messages, embedding verification data in an header, and ways for recipients to verify integrity of the messages Uses DNS TXT records to publish public keys 25

26 DKIM Operation Generate keypair Receive msg Outgoing msg Canonicalize + Sign DNS TXT RR Parse DKIM- Signature Verify b and bh Insert DKIM-Signature Deliver/Drop/ Quarantine 26

27 DKIM Signature Example DKIM-Signature Header Algorithms used Signing Domain ID Signed Headers Header Hash Body Hash Canonicalization scheme DKIM- Signature: v=1; a=rsa- sha256; c=relaxed/relaxed; Selector d=gmail.com; s= ; h=mime- version:date:message- id:subject:from:to:content- type; bh=pmd4zyid1vn/f7rzay6leon+d+w+adlvsr6i0zryofa=; b=n3ebxt5dwnbeissypkt6zokheb8ju51f4x8h2bkhdwk9ypok8duu4zglh srfefcvf+/2xepnqaivtkme0h7zti8yvv6ldeqtjqqwqq/ra7wsn4tjg4b JAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nLEm0gLnXYsh Uvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ96KitB6iPFq ufiotazwmhifnl+nhr06v0pwscqhssccuk0etdu9uqyf8bdn4opkhg7tz SyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2YIfeXgFRg== 27

28 DKIM Signature Algorithms RSA-SHA1 or RSA-SHA256 Signers MUST Verifiers MUST Signers SHOULD Verifiers MUST Max. practical key length 512 bits 1024 bits 2048 bits Verifiers MUST Signers MUST (for long-lived keys) Verifiers MUST Verifiers MAY 28

29 DKIM Signature Canonicalization Process of adapting the message content for signing to compensate for minor changes by MTAs in transit MUST NOT change the transmitted data in any way; just its presentation Two canonicalization schemes are supported for both headers and body: Simple (almost no modification tolerated) Relaxed (some modification, like header name case changes, line wrapping, whitespace replacement allowed) 29

30 DKIM Signature Header Canonicalization Simple Header Canonicalization No changes to headers Retains order, case and whitespacing Relaxed Header Canonicalization Header names -> lowercase Unfolds all multiline headers Replaces sequences of WSP characters with a single WSP Deletes WSP characters at EOL Deletes WSP before and after the colon separating the field name from the value 30

31 DKIM Signature Header Canonicalization in Action Return- Path: v- X- Original- To: Delivered- To: Received: from mx1.hc4-93.c3s2.smtpi.com (esa1.hc4-93.c3s2.smtpi.com [ ]) by rotkvica.dir.hr (Postfix) with ESMTP id B08562ABC01E for Thu, 26 Dec :03: (CET) Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of v- designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from=v- x- sender=v- x- conformance=sidf_compatible; x- record- type="v=spf1 Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of designates as permitted sender) identity=helo; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from=v- x- x- conformance=sidf_compatible; x- record- type="v=spf1 Authentication- Results: mx1.hc4-93.c3s2.smtpi.com; dkim=pass (signature verified) X- IronPort- Anti- Spam- Filtered: true 31

32 DKIM Signature Header Canonicalization in Action return- path:v- x- original- delivered- received:from mx1.hc4-93.c3s2.smtpi.com (esa1.hc4-93.c3s2.smtpi.com [ ]) by rotkvica.dir.hr (Postfix) with ESMTP id B08562ABC01E for Thu, 26 Dec :03: (CET) received- spf:pass (mx1.hc4-93.c3s2.smtpi.com: domain of v- designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from=v- x- sender=v- x- conformance=sidf_compatible; x- record- type="v=spf1 received- spf:pass (mx1.hc4-93.c3s2.smtpi.com: domain of designates as permitted sender) identity=helo; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from=v- x- x- conformance=sidf_compatible; x- record- type="v=spf1 authentication- results:mx1.hc4-93.c3s2.smtpi.com; dkim=pass (signature verified) x- ironport- anti- spam- filtered:true 32

33 DKIM Signature Body Canonicalization Simple Body Canonicalization No changes to the message, except: removes any empty lines at the end of the message body adds CRLF at the end of the message body, if not already there Relaxed Body Canonicalization Simple Canonicalization, plus: Ignores all WSP characters at EOL Replaces sequences of WSP characters in a line into a single WSP 33

34 DKIM Signature Example DKIM-Signature Header Algorithms used Signing Domain ID Signed Headers Header Hash Body Hash Canonicalization scheme DKIM- Signature: v=1; a=rsa- sha256; c=relaxed/relaxed; Selector d=gmail.com; s= ; h=mime- version:date:message- id:subject:from:to:content- type; bh=pmd4zyid1vn/f7rzay6leon+d+w+adlvsr6i0zryofa=; b=n3ebxt5dwnbeissypkt6zokheb8ju51f4x8h2bkhdwk9ypok8duu4zglh srfefcvf+/2xepnqaivtkme0h7zti8yvv6ldeqtjqqwqq/ra7wsn4tjg4b JAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nLEm0gLnXYsh Uvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ96KitB6iPFq ufiotazwmhifnl+nhr06v0pwscqhssccuk0etdu9uqyf8bdn4opkhg7tz SyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2YIfeXgFRg== 34

35 DKIM Signature Signing Domain ID and Selector Signing Domain ID (SDID) Identifies the entity claiming responsibility for the signed message Must correspond to a valid DNS name under which a DKIM key is published Selector Enables publishing of multiple keys per signing domain Use cases: Periodic key rotations Delegating/splitting signing authority for different OUs Delegating signing authority to 3 rd parties Allowing roaming users to sign their own messages 35

36 DKIM Signature Example DKIM-Signature Header Algorithms used Signing Domain ID Signed Headers Header Hash Body Hash Canonicalization scheme DKIM- Signature: v=1; a=rsa- sha256; c=relaxed/relaxed; Selector d=gmail.com; s= ; h=mime- version:date:message- id:subject:from:to:content- type; bh=pmd4zyid1vn/f7rzay6leon+d+w+adlvsr6i0zryofa=; b=n3ebxt5dwnbeissypkt6zokheb8ju51f4x8h2bkhdwk9ypok8duu4zglh srfefcvf+/2xepnqaivtkme0h7zti8yvv6ldeqtjqqwqq/ra7wsn4tjg4b JAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nLEm0gLnXYsh Uvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ96KitB6iPFq ufiotazwmhifnl+nhr06v0pwscqhssccuk0etdu9uqyf8bdn4opkhg7tz SyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2YIfeXgFRg== 36

37 DKIM Public Key Retrieval DNS query: <selector>._domainkey.<sdid> For our example: _domainkey.gmail.com IN TXT k=rsa\; p=miibijanbgkqhkig9w0baqefaaocaq8amiibcgkcaqea1kd87/uejjenpabg bfwh+ebcsstrqmwiyyvywlbhbqoo2dymndfkbjovipildns/m40kf+yzmn1skyo xctugcqs8g3fgd2ap3zb5dekao5wmmk4wimdo+u8qzi3sd0" "7y2+07wlNWwIt 8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIh kx4xysic9oswvmal5octmeewuwg8istjqz8bzetwbf41fbnhte7y+yqzowq1s d0dbvyad9nozk9vlfuac0598hy+vtsbczuikerhv1yrbcaqtzfh5wtirrn04b LUTD21MycBX5jYchHjPY/wIDAQAB 37

38 DKIM Signature Anatomy of the DKIM-Signature Header Mandatory tags V A D S H B BH Optional tags C I L Z Recommended tags T X 38

39 DKIM Signature Tags Expanded View Required signature tags: v, a, d, s, h, b, bh Optional signature tags: c defaults to simple/simple i Agent or User ID usually corresponds to sender s address l Body length z Copied header fields, separated by used for diagnostics Recommended signature tags: t Signature timestamp in Unix Epoch time, GMT x Signature expiration in Unix Epoch time, GMT. Must be greater than t time 39

40 DKIM Public Key Anatomy of the DKIM DNS Record Mandatory tags P Optional tags H=SHA1 K=RSA S= T=Y T=S G N Recommended tags V=DKIM1 40

41 DKIM Public Key Expanded Tags Only p tag is required Optional tags: h acceptable hash algorithms k key type n notes (for human interpretation) s service type g key granularity; local part of the i tag of the signature must be equal to it t flags y This domain is testing DKIM s if i tag is used in signature, domain part of the i tag must be equal to d tag. Recommended to be present if no subdomains are used. Recommended tags: v Version of the DKIM key record. If present, must be DKIM1. 41

42 DKIM Public Key Examples iport._domainkey.cisco.com IN TXT v=dkim1\; s= \; p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcctxghjnvnpdcqljm6a/ 0otvdpzFIJuo73OYFuw6/8bXcf8/p5JG/iME1r9fUlrNZs3kMn9ZdPYvTyRbyZ0 UyMrsM3ZN2JAIop3M7sitqHgp8pbORFgQyZxq+L23I2cELq+qwtbanjWJzEPpV vrvbuz9ql8cuts+v5n5ldq8l/lwidaqab\; lufthansa3._domainkey.lufthansa.com IN TXT g=*\; k=rsa\; t=y\; n="contact with any questions concerning this signing"\; p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqda7e WF9kW/HY6ppS6g3U6Be0JRfu59Iv3oYgW+ztDJK1HsLf/hmah4buPBtVaGb CagDNN7wK12uhs6ko6f4SulZpwqVdtp1R6jujvW56hcNhx4RJ0E17mefniciwYfQx DhQmE8lkUzJR4BXWuKsPSSSy/pT3rM+LusuTAbFWKsMQIDAQAB\; 42

43 Choosing Your DKIM Parameters Make the best use of selectors Periodic key rotation Delegation of signing authority Sacrificing security for performance If you must, consider weakening your signatures in the following order: Reduce the signing key size (and combine with selector rotation) Use simple for body canonicalization Use simple for headers canonicalization Change signing algorithm to sha-1 However, RFC6376 says: Signers MUST implement and SHOULD sign using rsa- sha256 43

44 Configuring DKIM Signing and Verification Using Cisco ESA

45 DKIM Advertisement Problem and ADSP The biggest problem of DKIM is that there is no straightforward advertising Unsigned messages can come in unverified ADSP (Author Domain Signing Practices, RFC5617) is an extension to DKIM A DNS-based method for sender domains to advertise that they are signing messages A simple TXT record at _adsp._domainkey.<domain>, containing just: dkim=unknown all discardable ADSP is obsoleted as of November 2013 due to lack of deployment _adsp._domainkey.yahoo.com IN TXT dkim=unknown 45

46 Hardening Your Infrastructure: DMARC

47 Sardines on a spit Traditional dish of fishermen from the island of Vis 1 kg of fresh sardines coarse-grain sea salt a branch of fresh rosemary olive oil This extremely simple dish is a secret specialty of fishermen from Croatia s most remote island, Vis. Do google it. The recipe includes a bit of DIY: You need to make (well, or buy) a thin spit out of non-taninreleasing wood. Bay leaf branches work best. The spit should be up to 1 cm wide, as thin as possible, and sharp at one end. Dip the branch of rosemary in little olive oil. Wipe the sardines with a rough cloth to remove the scales, and let them covered in sea salt for about half an hour, to make the fish firmer. Slide the fish on the spit so the spit is always under the spine. Place the spit over burning coal, with spine facing up. This is critical, because if you miss sides, fish will fall off as you turn it. Grill it for a few minutes, then turn once, grill for another few minutes, and set aside in a pot, cover, and let them sit for a few more minutes. Never turn the fish more than once. Sprinkle with rosemary-infused olive oil, and serve with potato salad, or freshly baked bread. This is probably the crudest, and best way to cook sardines. Enjoy!

48 DMARC is designed to prevent bad actors from sending mail which claims to come from legitimate senders, particularly senders of transactional . One of the primary uses of this kind of spoofed mail is phishing draft-kucherawy-dmarc-base-02 IETF Network Working Group

49 Moving Towards DMARC Both DKIM and SPF have shortcomings, not because of bad design, but because of different nature of each technology DKIM policy advertising was addressed by ADSP, but: There was no visibility by spoofed parties into offending traffic Even though a receiver implemented both SPF and DKIM verification, there was no requirement of the two technologies being in sync A smart attacker might make use of this to push illegitimate messages through SPF checks HELO/MAILFROM identity, but no verification or alignment of Header From is ensured Thus, DMARC was born: Leveraging great existing technologies, providing a glue to keep them in sync, and allowing senders to mandate rejection policies and have visibility of offending traffic 49

50 DMARC Operation Publish SPF SPF (or TXT) DNS RR Check SPF Align Identifiers Publish DKIM DKIM (TXT) DNS RR Check DKIM Apply DMARC Policy Publish DMARC DMARC (TXT) DNS RR Fetch DMARC Policy Send DMARC Report(s) Outgoing msg Insert DKIM-Signature Check SPF on Header From 50

51 DMARC Policy Example of a DMARC DNS Record Version Failure policy Sampling rate _dmarc.amazon.com IN TXT v=dmarc1\; p=quarantine\; pct=100\; rua=mailto:dmarc- reports@bounces.amazon.com\; ruf=mailto:dmarc- reports@bounces.amazon.com Failure Reports URI Aggregate Reports URI 51

52 DMARC Policy Policy Specification and Slow Start Policies requested by senders: None Quarantine Reject Receivers MAY deviate from requested policies, but SHOULD inform the sender why (through Aggregate Report) Sampling rate ( p tag) instructs the receiver to only apply policy to a fraction of messages 52

53 DMARC Policy Reporting URIs mailto: and URIs supported Two distinct report types: Aggregate report Sent on an interval Summary of all incidents from a particular sender domain Failure report Sent on (every) failure Detailed report on individual failures 53

54 DMARC Policy Anatomy of the DMARC DNS Record Mandatory tags V=DMARC1 P Optional tags PCT SP ADKIM ASPF RI RUA RF FO RUF 54

55 DMARC Policy Adherence to SPF/DKIM Sender can request Strict ( s ) or Relaxed ( r, default) adherence to DKIM and SPF DKIM ( adkim ): Relaxed: Header From FQDN can be a subdomain of d tag of DKIM signature Strict: Header From FQDN must completely match the d tag of DKIM SPF ( aspf ): Relaxed: Header From domain can be a subdomain of SPF-Authenticated (MAIL FROM) domain Strict: Header From domain must match MAIL FROM domain 55

56 DMARC Policy Failure Reporting Two supported Report Formats ( rf ): afrf Authentication Failure Reporting Format, defined in RFC6591, and extended by draft-kucherawydmarc-base (default) iodef Incident Object Description Exchange Format, defined in RFC5070 Failure reporting options ( fo ), separated by colons in the Policy Record: 0 : generate a report if all underlying mechanisms fail to align and pass (default) 1 : generate a report if any underlying mechanisms fail to align and pass d : generate a DKIM failure report if DKIM verification fails, regardless of alignment s : generate an SPF failure report for failed SPF verification, regardless of alignment 56

57 DMARC Reporting Delegating Reporting Authority _dmarc.facebook.com IN TXT "v=dmarc1\; p=reject\; pct=100\; 57

58 DMARC Reporting Delegating Reporting Authority _dmarc.facebook.com IN TXT "v=dmarc1\; p=reject\; pct=100\; facebook.com._report._dmarc.ruf.agari.com 58

59 DMARC Reporting Delegating Reporting Authority _dmarc.facebook.com IN TXT "v=dmarc1\; p=reject\; pct=100\; facebook.com._report._dmarc.ruf.agari.com 59

60 DMARC Reporting Delegating Reporting Authority _dmarc.facebook.com IN TXT "v=dmarc1\; p=reject\; pct=100\; facebook.com._report._dmarc.ruf.agari.com 60

61 DMARC Reporting Delegating Reporting Authority _dmarc.facebook.com IN TXT "v=dmarc1\; p=reject\; pct=100\; facebook.com._report._dmarc.ruf.agari.com IN TXT v=dmarc1 61

62 DMARC Record Examples _dmarc.google.com IN TXT v=dmarc1\; p=quarantine\; rua=mailto:mailauth- _dmarc.cs.helsinki.fi IN TXT v=dmarc1\; p=reject\; sp=reject\; pct=100\; aspf=r\; rua=mailto:dmarc- _dmarc.microsoft.com IN TXT v=dmarc1\; p=none\; pct=100\; fo=1 _dmarc.dk- hostmaster.dk IN TXT v=dmarc1\; p=none\; rua=mailto:dmarc- hostmaster.dk\; ruf=mailto:dmarc- hostmaster.dk\; adkim=r\; aspf=r\; rf=afrf 62

63 DMARC Identifier Alignment When Does A Message Pass? DMARC authenticates the domain from Header From DKIM authenticates the domain from DKIM-Signature ( d tag) SPF authenticates domains from MAIL FROM or HELO identities Identifier Alignment is a concept of alignment between Header From and identifiers checked by DKIM and SPF Message passes DMARC check if one or more of the authentication mechanisms (DKIM and/or SPF) pass with proper alignment 63

64 DMARC Policy Anatomy of the DMARC DNS Record Mandatory tags V=DMARC1 P Optional tags PCT SP ADKIM ASPF RI RUA RF FO RUF 64

65 DMARC Policy Adherence to SPF/DKIM Sender can request Strict ( s ) or Relaxed ( r, default) adherence to DKIM and SPF DKIM ( adkim ): Relaxed: Header From FQDN can be a subdomain of d tag of DKIM signature Strict: Header From FQDN must completely match the d tag of DKIM SPF ( aspf ): Relaxed: Header From domain can be a subdomain of SPF-Authenticated (MAIL FROM) domain Strict: Header From domain must match MAIL FROM domain 65

66 DMARC Identifier Alignment: SPF MAIL FROM: From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test 66

67 DMARC Identifier Alignment: SPF MAIL FROM: From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test 67

68 DMARC Identifier Alignment: SPF MAIL FROM: From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test aspf= r aspf= s 68

69 DMARC Identifier Alignment: SPF MAIL FROM: From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test aspf= r aspf= s MAIL FROM: <hrdogan@cisco.com> From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test 69

70 DMARC Identifier Alignment: SPF MAIL FROM: From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test aspf= r aspf= s MAIL FROM: <hrdogan@cisco.com> From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test 70

71 DMARC Identifier Alignment: SPF MAIL FROM: From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test aspf= r aspf= s MAIL FROM: <hrdogan@cisco.com> From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test MAIL FROM: <hdogan@linux.hr> From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test 71

72 DMARC Identifier Alignment: SPF MAIL FROM: From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test aspf= r aspf= s MAIL FROM: <hrdogan@cisco.com> From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test MAIL FROM: <hdogan@linux.hr> From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test 72

73 DMARC Identifier Alignment: DKIM DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test 73

74 DMARC Identifier Alignment: DKIM DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test adkim= r adkim= s 74

75 DMARC Identifier Alignment: DKIM DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test adkim= r adkim= s DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test 75

76 DMARC Identifier Alignment: DKIM DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test adkim= r adkim= s DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test 76

77 DMARC Identifier Alignment: DKIM DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test adkim= r adkim= s DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test DKIM- Signature: v=1; [ ] d=linux.hr;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test 77

78 DMARC Identifier Alignment: DKIM DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test adkim= r adkim= s DKIM- Signature: v=1; [ ] d=cisco.com;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@mail.cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test DKIM- Signature: v=1; [ ] d=linux.hr;[ ] From: Hrvoje Dogan (hrdogan) <hrdogan@cisco.com> To: Hrvoje Dogan <hdogan@dir.hr> Subject: DMARC test Multiple DKIM signatures? Any must validate and align. 78

79 DMARC How to start 1. Correctly deploy DKIM and SPF 2. Make sure that your identifiers will align 3. Publish a DMARC record with p=none, gather rua and ruf reports for a while 4. Analyze the data and modify your mail streams (or DKIM/SPF parameters) 5. Apply reject or quarantine policy 79

80 DMARC How to Delegate Create a subdomain for your 3 rd party mailers Provide them with your DKIM signing key Make sure adkim is set to strict, and aspf set to relaxed if needed Received: from mta3.e.tripadvisor.com ([ ]) by mx1.hc4-93.c3s2.smtpi.com with ESMTP; 01 Jan :16: Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of bounce _HTML @bounce.e.tripadvisor.com designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from="bounce _HTML @bounce.e.tripadvisor.com"; x- sender="bounce _HTML @bounce.e.tripadvisor.com"; x- conformance=sidf_compatible; x- record- type="v=spf1 DKIM- Signature: v=1; a=rsa- sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com; h=from:to:subject:date:list- Unsubscribe:MIME- Version:Reply- To:Message- ID:Content- Type; i=members@e.tripadvisor.com; bh=zncj7ir0d/hc0m9uybyzydudczq=; b=afqcdgz2vg8z38jbi8xku +c8vp3q89jcmlptrfo1otrv21ujsqgw1fkcfbzglzxnyque8tlgqjy2akacav2yiizpogw6phnmmdmmxg2i5ufgqvipfzezvtu Q/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ= From: "TripAdvisor" <members@e.tripadvisor.com> 80

81 DMARC How to Delegate Create a subdomain for your 3 rd party mailers Provide them with your DKIM signing key Make sure adkim is set to strict, and aspf set to relaxed if needed Received: from mta3.e.tripadvisor.com ([ ]) by mx1.hc4-93.c3s2.smtpi.com with ESMTP; 01 Jan :16: Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of bounce _HTML @bounce.e.tripadvisor.com designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from="bounce _HTML @bounce.e.tripadvisor.com"; x- sender="bounce _HTML @bounce.e.tripadvisor.com"; x- conformance=sidf_compatible; x- record- type="v=spf1 DKIM- Signature: v=1; a=rsa- sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com; h=from:to:subject:date:list- Unsubscribe:MIME- Version:Reply- To:Message- ID:Content- Type; i=members@e.tripadvisor.com; bh=zncj7ir0d/hc0m9uybyzydudczq=; b=afqcdgz2vg8z38jbi8xku +c8vp3q89jcmlptrfo1otrv21ujsqgw1fkcfbzglzxnyque8tlgqjy2akacav2yiizpogw6phnmmdmmxg2i5ufgqvipfzezvtu Q/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ= From: "TripAdvisor" <members@e.tripadvisor.com> 81

82 DMARC How to Delegate Create a subdomain for your 3 rd party mailers Provide them with your DKIM signing key Make sure adkim is set to strict, and aspf set to relaxed if needed Received: from mta3.e.tripadvisor.com ([ ]) by mx1.hc4-93.c3s2.smtpi.com with ESMTP; 01 Jan :16: Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of bounce _HTML @bounce.e.tripadvisor.com designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from="bounce _HTML @bounce.e.tripadvisor.com"; x- sender="bounce _HTML @bounce.e.tripadvisor.com"; x- conformance=sidf_compatible; x- record- type="v=spf1 DKIM- Signature: v=1; a=rsa- sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com; h=from:to:subject:date:list- Unsubscribe:MIME- Version:Reply- To:Message- ID:Content- Type; i=members@e.tripadvisor.com; bh=zncj7ir0d/hc0m9uybyzydudczq=; b=afqcdgz2vg8z38jbi8xku +c8vp3q89jcmlptrfo1otrv21ujsqgw1fkcfbzglzxnyque8tlgqjy2akacav2yiizpogw6phnmmdmmxg2i5ufgqvipfzezvtu Q/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ= From: "TripAdvisor" <members@e.tripadvisor.com> 82

83 DMARC How to Delegate Create a subdomain for your 3 rd party mailers Provide them with your DKIM signing key Make sure adkim is set to strict, and aspf set to relaxed if needed Received: from mta3.e.tripadvisor.com ([ ]) by mx1.hc4-93.c3s2.smtpi.com with ESMTP; 01 Jan :16: Received- SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of bounce _HTML @bounce.e.tripadvisor.com designates as permitted sender) identity=mailfrom; client- ip= ; receiver=mx1.hc4-93.c3s2.smtpi.com; envelope- from="bounce _HTML @bounce.e.tripadvisor.com"; x- sender="bounce _HTML @bounce.e.tripadvisor.com"; x- conformance=sidf_compatible; x- record- type="v=spf1 DKIM- Signature: v=1; a=rsa- sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com; h=from:to:subject:date:list- Unsubscribe:MIME- Version:Reply- To:Message- ID:Content- Type; i=members@e.tripadvisor.com; bh=zncj7ir0d/hc0m9uybyzydudczq=; b=afqcdgz2vg8z38jbi8xku +c8vp3q89jcmlptrfo1otrv21ujsqgw1fkcfbzglzxnyque8tlgqjy2akacav2yiizpogw6phnmmdmmxg2i5ufgqvipfzezvtu Q/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ= From: "TripAdvisor" <members@e.tripadvisor.com> 83

84 DMARC deployment using Cisco ESA

85 Don t Be A Phish Deploy DMARC! DMARC provides Easy, simple and powerful existing-standards-based message authentication Flexibility and gradual deployment A chance to clean up your mail flows and tighten up messaging security Easy protection from most phishing attacks both as phish and as bait! and endless opportunities for corny fish jokes. DON T BE A PHISH. IT S SIMPLE. 85

86 For More Information Presentation videos: 86

87 Image credits Most photography on title slides courtesy of Novi List, used with permission of the Editor of Photography. Authors of photography: Sergej Drechsler, Petar Fabijan, Marko Gracin, Roni Brmalj, Damir Škomrlj, Silvano Ježina, Livio Černjul Original artwork for icons and progress indicator done in ink on paper by Ivica Matić, Special credits go to Helenka, for her relentless work on producing these slides 87

88 Call to Action Visit the World of Solutions:- Cisco Campus Cisco Security Walk-in Labs Technical Solutions Clinics Hrvoje Dogan, Dan Griffin, Tom Foucha, Scott Bower Meet the Engineer Lunch Time Table Topics, held in the main Catering Hall Recommended Reading: For reading material and further resources for this session, please visit 88

89 Complete Your Online Session Evaluation Complete your online session evaluation Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt 89

90